TripWire in K8s cluster help?

Help needed
    Chad C

    Tripwire is a host-based intrusion detection system. It runs both static and dynamic analysis on container images. It checks API server settings, scheduler profiling, configuration files, controller management, etcd-certfile and etcd-keyfile settings, security primitives, worker node security configuration, kubelet argument settings, configuration file permissions, and federated deployments.

    Install Tripwire:

        sudo apt-get install tripwire

    Tripwire uses two keys to secure its configuration files: a site key and a local key. The site key is used to secure the configuration files. The local key is used on each machine to run the binaries.
    * Choose and confirm a site key passphrase.

    Create a policy file:

        sudo twadmin --create-polfile /etc/tripwire/twpol.txt

    This creates an encrypted policy file in /etc/tripwire.

    Initialize the database:

        sudo tripwire --init

    Run the check and place the files listed into the config directory:

        sudo sh -c 'tripwire --check | grep Filename > test_results'

    Modify the policy file:

        sudo nano /etc/tripwire/twpol.txt

    Comment out /etc/rc.boot in the policy file:

        #/etc/rc.boot            -> $(SEC_BIN) ;

    * Comment out all other items in the policy file that aren't present on your system.

    Recreate the policy file so Tripwire can read it:

        sudo twadmin -m P /etc/tripwire/twpol.txt

    Re-initialize the database:

        sudo tripwire --init

    Verify the configuration:

        sudo tripwire --check

    Set up email notifications (the report is mailed to root here; substitute the recipient you want):

        sudo apt-get install mailutils
        sudo tripwire --check | mail -s "Tripwire report for `uname -n`" root

    Update the database:

        sudo tripwire --check --interactive

    Automate Tripwire with cron:

        sudo crontab -e

    Have Tripwire run at 3:30am every day:

        30 3 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" root
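The two manual chores in the steps above (commenting out every policy object that does not exist on the host, and reading the nightly report to see whether anything was flagged) can be scripted. The POSIX shell script below is an added example, not part of the original post or of Tripwire itself. It assumes the report layout of open-source Tripwire, where missing objects are reported as "### Filename: <path>" lines and the summary ends with "Total violations found: N"; the sample report and policy fragment embedded in it are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): automate the policy clean-up
# and the cron alerting described above.

# Constructed sample of the relevant parts of a "tripwire --check" report.
SAMPLE_REPORT='
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.Xauthority
### No such file or directory
### Continuing...

Total objects scanned:  23456
Total violations found:  2
'

# Constructed sample policy fragment in twpol.txt syntax.
SAMPLE_POLICY='/etc/rc.boot            -> $(SEC_BIN) ;
/etc/init.d             -> $(SEC_BIN) ;
/root/.Xauthority       -> $(SEC_CONFIG) ;
/root/.bashrc           -> $(SEC_CONFIG) ;'

# missing_files REPORT: print each path named on a "### Filename:" line.
# This is the list the post builds by hand with "grep Filename".
missing_files() {
    printf '%s\n' "$1" | sed -n 's/^### Filename: //p'
}

# violations REPORT: print the count from "Total violations found:".
violations() {
    printf '%s\n' "$1" | sed -n 's/^Total violations found: *//p'
}

# comment_missing REPORT POLICY: print POLICY with every rule whose object
# (first field) is reported missing prefixed by "#", exactly as the post
# does for /etc/rc.boot. Paths containing spaces are not handled.
comment_missing() {
    list=$(missing_files "$1")
    printf '%s\n' "$2" | awk -v list="$list" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) miss[a[i]] = 1 }
        $1 in miss { print "#" $0; next }
        { print }'
}

# report_if_violations RECIPIENT: for the cron job. Runs the real check and
# mails the report only when violations were found, so a quiet night sends
# nothing. Requires tripwire and mailutils; not exercised by the sample data.
report_if_violations() {
    report=$(/usr/sbin/tripwire --check 2>&1)
    n=$(violations "$report")
    if [ "${n:-0}" -gt 0 ]; then
        printf '%s\n' "$report" | mail -s "Tripwire: $n violation(s) on $(uname -n)" "$1"
    fi
}

# Demonstration on the constructed data: show the cleaned policy fragment.
comment_missing "$SAMPLE_REPORT" "$SAMPLE_POLICY"
```

To use it on a real host, feed comment_missing the saved check output and /etc/tripwire/twpol.txt, review the result, then run the twadmin -m P and tripwire --init steps from the post; replace the cron command with a call to report_if_violations root so that mail arrives only when the database and the filesystem disagree.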
